Telegram API flaw leaks 15 million Iranian users’ data

Two independent security researchers claim that an Iranian hacking group managed to obtain public information and phone numbers from15 million Iranian users of the Telegram messaging app. Telegram an immensely popular messaging app in the country and almost one-fourth of the population are using the app daily.

Soon after this news was published by Reuters, The Telegram team responded with an interesting public announcement:“Keep Calm and Send Telegrams!”

“Certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts. As a result, only publicly available data was collected and the accounts themselves were not accessed.”

Telegram team added, “Such mass checks are no longer possible since we introduced some limitations into our API this year.”

The news also highlights that more than a dozen accounts were fully compromised by the hackers and according to Collin Anderson and Claudio Guarnieri who investigated this case, the vulnerability is sending authorisation codes via SMS text messages to activate new devices and these can be intercepted by the phone company.

Telegram introduced two-factor authentication last year and also advised users to enable 2FA to prevent interception of SMS-verification codes via a mobile carrier. But as this feature is not enabled by default and due to limited knowledge about security among the general public, this window of opportunity remains relatively open for the hackers.

Collin Anderson is an independent cyber-security researcher and Claudio Guarnieri is an Amnesty International technologist. Anderson and Guarnieri will present their findings at the Black Hat security conference in Las Vegas today.